Authorize.net does basically the same thing. In fact the code looks identically structured and the site looks almost the same too.... If its SSL-ed then, it comes down to the security of their systems. How else would you do it? I mean, you have to send the info to an SSL protected page somehow via POST, GET or another method, right? What other options are there?